IntSights' Blog

WannaCry Outbreak Anniversary: What We Really Learned Over the Past Year

On May 12, 2017, WannaCry ransomware surprised the world and began spreading across hundreds of thousands of computers around the globe. To build the attack, WannaCry’s creators exploited the EternalBlue vulnerability, which was stolen from the NSA (National Security Agency) by the Shadow Brokers. They also leveraged additional tools and exploits, enabling the ransomware to spread quickly and encrypt vulnerable computers along the way.

The WannaCry attack made international headlines and changed the way we think about malware attacks. Here’s what we’ve learned in the past year since the initial WannaCry outbreak.

Sad But True

The sad part about the WannaCry attack is that most organizations could have avoided it. EternalBlue was patched by Microsoft about a month before its first hit, but many organizations failed to have the proper patching processes in place.

Once again, this shows that a proper cyber security defense strategy starts with basic security processes, such as patch management. Yet even a year after the initial outbreak, we still hear about incidents of WannaCry infections and other uses of EternalBlue exploits. It’s amazing that, after all the attention WannaCry received, organizations around the world still fail to enforce proper patch management processes.

What is the EternalBlue Vulnerability?

EternalBlue (MS17-010) is the name for the software vulnerability in Microsoft's Windows operating system. The vulnerability is exploited through Microsoft's Server Message Block version 1 (SMBv1) implementation. SMB is a network file sharing protocol that allows applications on a computer to read and write files, and to request services, on machines on the same network. Even though this is a major vulnerability, organizations still have machines that are not patched and can be exploited. Attackers have taken advantage of this by continuing to launch new attacks that exploit the vulnerability, even though the WannaCry attack made the urgency of patching it clear.

2017 is remembered as the year of ransomware. WannaCry was just the first of many ransomware attacks throughout the year, with some other notable attacks being Jeff, AES-NI, Petya and NotPetya.

Major Attack, Major Victims

The WannaCry attack managed to infect more than 250,000 computers around the world; among the victims:

NHS (National Health Service) - UK

NHS (National Health Service) - Scotland

Hitachi Ltd - Japan

Renault Group - France

FedEx - Multiple sites around the globe

O2 Germany

Ministry of Foreign Affairs - Romania

Boeing Commercial Airplanes - USA

University of Montreal - Canada

Chinese Public Security Bureau - China

These are large organizations, and the attack caused significant financial damage across the globe. Beyond the financial damage, WannaCry created a feeling of terror and panic.

How to Protect Yourself Moving Forward

Even though we’re a year removed from the initial outbreak, many organizations still have not updated their security and IT processes appropriately. Here’s what you can do to minimize the chance of a future attack like WannaCry:

Make sure that your patch management process is running on a regular basis and that ALL of your devices are being updated appropriately.

Leverage IOC enrichment to prioritize which vulnerabilities impact your organization so that your team can patch effectively with minimal user interruption.

Train your users not to click on any links or download attachments from unknown or unexpected emails/senders.

Use strong authentication methods in order to protect your credentials.

Make sure that you’re backing up your data and systems on a regular basis. This is a failsafe if you are ultimately hit with a ransomware attack.

Conclusion

WannaCry made international headlines when it first started spreading last year. Yet, even a year later, many devices still are not patched and continue to be exploited. And this only accounts for the exploits used in WannaCry. There are hundreds of other vulnerabilities that get exploited throughout the year and never gain the media attention WannaCry did. Organizations need a greater sense of urgency around patching to ensure they are protected from future attacks like WannaCry.

However, patching can be a tricky balancing act. Patches can conflict with existing software and often interrupt users' daily job responsibilities. While it’s important to keep software up to date, you also need to understand the criticality of a vulnerability and whether it can actually be exploited on your systems. Enriching Indicators of Compromise (IOCs) with your own asset data can help you prioritize which vulnerabilities pose the largest threat to your organization and need to be addressed first.
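The prioritization idea in the advice above (leverage enrichment to decide which vulnerabilities to patch first) and in this paragraph can be made concrete. The following Python script is an added example, not IntSights code or any product's logic: it joins one vulnerability record (MS17-010, the bulletin named on this page) against a constructed asset inventory and ranks unpatched hosts by exposure and business criticality, treating a host with SMBv1 disabled as mitigated. The hostnames, inventory fields, weights and the `priority_score`/`prioritize` functions are all assumptions made for the example.

```python
"""Vulnerability prioritization by asset enrichment (added example, constructed data)."""
from dataclasses import dataclass

# Constructed vulnerability record. MS17-010 is the bulletin the page names;
# the other fields are assumptions used to drive the scoring below.
VULN = {
    "bulletin": "MS17-010",
    "affected_feature": "smb1",       # component that must be enabled to be exposed
    "exploited_in_the_wild": True,    # WannaCry used it, so urgency is doubled
}


@dataclass
class Asset:
    """One row of a (constructed) asset inventory."""
    hostname: str
    os: str
    smb1_enabled: bool      # is the vulnerable feature turned on?
    patched: bool           # is MS17-010 already installed?
    reachable_from: str     # "internet", "corp" or "isolated"
    criticality: int        # 1 (lab box) .. 5 (production server)


# Assumed exposure weights: more reachable means more urgent.
EXPOSURE_WEIGHT = {"internet": 3, "corp": 2, "isolated": 1}


def priority_score(asset: Asset, vuln: dict) -> int:
    """Return 0 if the host does not need this patch, else a score (higher = patch sooner)."""
    if asset.patched:
        return 0
    if vuln["affected_feature"] == "smb1" and not asset.smb1_enabled:
        return 0  # mitigated: the vulnerable protocol is switched off on this host
    score = EXPOSURE_WEIGHT[asset.reachable_from] * asset.criticality
    if vuln["exploited_in_the_wild"]:
        score *= 2
    return score


def prioritize(assets: list, vuln: dict) -> list:
    """Return (score, hostname) pairs for hosts still needing the patch, most urgent first."""
    ranked = [(priority_score(a, vuln), a.hostname) for a in assets]
    return sorted([r for r in ranked if r[0] > 0], reverse=True)


# Constructed inventory: hostnames and attributes are invented for the example.
INVENTORY = [
    Asset("file-srv-01", "Windows Server 2008 R2", True, False, "corp", 5),
    Asset("kiosk-07", "Windows 7", True, False, "internet", 2),
    Asset("dev-vm-3", "Windows 10", False, False, "corp", 1),
    Asset("dc-01", "Windows Server 2016", True, True, "corp", 5),
    Asset("lab-pc-2", "Windows 7", True, False, "isolated", 1),
]

if __name__ == "__main__":
    for score, host in prioritize(INVENTORY, VULN):
        print(f"{score:3d}  {host}")
```

Run as-is, the script lists file-srv-01 first (a critical server on the corporate network with SMBv1 on), then the internet-reachable kiosk, then the isolated lab machine; the patched domain controller and the host with SMBv1 disabled drop out of the queue entirely. In practice the inventory rows would come from your CMDB or endpoint agent and the weights from your own risk model, but the shape of the decision is the same: patch state, feature exposure, reachability and criticality, not the vulnerability alone.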

Itay Kozuch is the Director of Threat Research at IntSights. He is a cybersecurity expert with over a decade of experience managing cyber-security and threat research. Prior to IntSights, Itay served as a Manager and Head of Cyber Technologies at KPMG. He previously led cyber projects and served as a CISO for major companies in Europe, West Africa and Central America.

Revolutionizing cybersecurity with the first of its kind enterprise threat intelligence and mitigation platform that drives proactive defense by turning tailored threat intelligence into automated security action.